npm - @juspay/shooter - Versions diffs - 1.0.0 - Mend

@juspay/shooter 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (327) hide show

package/src/routes/api/terminals/+server.ts ADDED Viewed

@@ -0,0 +1,141 @@
+import { validateAuth } from '$lib/modules/server/auth';
+import { ptyManager } from '$lib/modules/server/terminal/pty-manager.js';
+import { json } from '@sveltejs/kit';
+import { realpathSync, statSync } from 'fs';
+import { basename } from 'path';
+import type { RequestHandler } from './$types';
+const ALLOWED_COMMANDS = ['zsh', 'bash', 'sh', 'fish', 'claude', 'opencode'];
+// GET /api/terminals — List all terminals (active + recently exited)
+export const GET: RequestHandler = ({ request }) => {
+  const authError = validateAuth(request);
+  if (authError) {return authError;}
+  try {
+    const terminals = ptyManager.list().map(t => ({
+      args: t.args,
+      clientCount: t.clients.size,
+      command: t.command,
+      createdAt: t.createdAt.toISOString(),
+      currentCwd: t.currentCwd,
+      cwd: t.cwd,
+      exitCode: t.exitCode,
+      exitedAt: t.exitedAt?.toISOString() ?? null,
+      id: t.id,
+      isActive: t.isActive,
+      pid: t.pid,
+      status: t.status,
+    }));
+    return json({
+      count: terminals.length,
+      terminals,
+      timestamp: new Date().toISOString(),
+    });
+  } catch (error) {
+    const err = error as Error;
+    return json({ details: err.message, error: 'Failed to list terminals' }, { status: 500 });
+  }
+};
+// POST /api/terminals — Create a new terminal session
+export const POST: RequestHandler = async ({ request }) => {
+  const authError = validateAuth(request);
+  if (authError) {return authError;}
+  let body: { args?: string[]; cols?: number; command?: string; cwd?: string; rows?: number };
+  try {
+    body = (await request.json()) as {
+      args?: string[];
+      cols?: number;
+      command?: string;
+      cwd?: string;
+      rows?: number;
+    };
+  } catch {
+    return json({ error: 'Invalid JSON in request body' }, { status: 400 });
+  }
+  try {
+    const { args, cols, command, cwd, rows } = body;
+    if (!command) {
+      return json({ error: 'command is required' }, { status: 400 });
+    }
+    // Issue 4: Command allowlist — only allow known safe commands
+    const commandBasename = basename(command);
+    if (!ALLOWED_COMMANDS.includes(commandBasename)) {
+      return json(
+        { error: `Command not allowed. Allowed: ${ALLOWED_COMMANDS.join(', ')}` },
+        { status: 400 },
+      );
+    }
+    if (!cwd) {
+      return json({ error: 'cwd is required' }, { status: 400 });
+    }
+    // Issue 3: Validate cwd — resolve symlinks and restrict to home directory
+    let realCwd: string;
+    try {
+      realCwd = realpathSync(cwd);
+    } catch {
+      return json({ error: 'Invalid working directory' }, { status: 400 });
+    }
+    if (!statSync(realCwd).isDirectory()) {
+      return json({ error: 'Invalid working directory' }, { status: 400 });
+    }
+    const home = process.env.HOME || '';
+    if (home && !realCwd.startsWith(home)) {
+      return json({ error: 'Working directory must be under home directory' }, { status: 400 });
+    }
+    if (args !== undefined && !Array.isArray(args)) {
+      return json({ error: 'args must be an array of strings' }, { status: 400 });
+    }
+    // Issue 1: Validate every element in args is a string
+    if (args && !args.every((a: unknown) => typeof a === 'string')) {
+      return json({ error: 'All args must be strings' }, { status: 400 });
+    }
+    if (cols !== undefined && (typeof cols !== 'number' || cols < 1)) {
+      return json({ error: 'cols must be a positive number' }, { status: 400 });
+    }
+    if (rows !== undefined && (typeof rows !== 'number' || rows < 1)) {
+      return json({ error: 'rows must be a positive number' }, { status: 400 });
+    }
+    const terminal = await ptyManager.create(
+      command,
+      args ?? [],
+      realCwd,
+      cols ?? 80,
+      rows ?? 24,
+    );
+    console.log(
+      `[terminals] Created terminal ${terminal.id} (pid=${terminal.pid}, command=${command})`
+    );
+    return json(
+      {
+        command: terminal.command,
+        createdAt: terminal.createdAt,
+        cwd: terminal.cwd,
+        id: terminal.id,
+        pid: terminal.pid,
+        sessionWs: `/ws/session/${terminal.id}`,
+        ws: `/ws/terminal/${terminal.id}`,
+      },
+      { status: 201 }
+    );
+  } catch (error) {
+    const err = error as Error;
+    return json({ details: err.message, error: 'Failed to create terminal' }, { status: 500 });
+  }
+};

package/src/routes/api/terminals/[id]/+server.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import { validateAuth } from '$lib/modules/server/auth';
+import { ptyManager } from '$lib/modules/server/terminal/pty-manager.js';
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+// GET /api/terminals/:id — Get terminal details by ID
+export const GET: RequestHandler = ({ params, request }) => {
+  const authError = validateAuth(request);
+  if (authError) {return authError;}
+  try {
+    const terminal = ptyManager.get(params.id);
+    if (!terminal) {
+      return json({ error: 'Terminal not found' }, { status: 404 });
+    }
+    return json({
+      args: terminal.args,
+      clientCount: terminal.clients.size,
+      command: terminal.command,
+      createdAt: terminal.createdAt.toISOString(),
+      cwd: terminal.cwd,
+      exitCode: terminal.exitCode,
+      exitedAt: terminal.exitedAt?.toISOString() ?? null,
+      id: terminal.id,
+      lastOutput: terminal.scrollback.length > 0 ? terminal.scrollback[terminal.scrollback.length - 1] : null,
+      pid: terminal.pid,
+      sessionWs: `/ws/session/${terminal.id}`,
+      status: terminal.status,
+      timestamp: new Date().toISOString(),
+      ws: `/ws/terminal/${terminal.id}`,
+    });
+  } catch (error) {
+    const err = error as Error;
+    return json({ details: err.message, error: 'Failed to get terminal' }, { status: 500 });
+  }
+};
+// DELETE /api/terminals/:id — Kill terminal by ID (SIGTERM)
+export const DELETE: RequestHandler = ({ params, request }) => {
+  const authError = validateAuth(request);
+  if (authError) {return authError;}
+  try {
+    const terminal = ptyManager.get(params.id);
+    if (!terminal) {
+      return json({ error: 'Terminal not found' }, { status: 404 });
+    }
+    if (terminal.status === 'exited') {
+      ptyManager.remove(params.id);
+      console.log(`[terminals] Removed exited terminal ${params.id}`);
+      return json({
+        removed: true,
+        success: true,
+        timestamp: new Date().toISOString(),
+      });
+    }
+    ptyManager.kill(params.id);
+    console.log(`[terminals] Killed terminal ${params.id} (pid=${terminal.pid})`);
+    return json({
+      success: true,
+      timestamp: new Date().toISOString(),
+    });
+  } catch (error) {
+    const err = error as Error;
+    return json({ details: err.message, error: 'Failed to kill terminal' }, { status: 500 });
+  }
+};

package/src/routes/api/terminals/[id]/paste-image/+server.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { validateAuth } from '$lib/modules/server/auth';
+import { json } from '@sveltejs/kit';
+import { mkdirSync, writeFileSync } from 'fs';
+import type { RequestHandler } from './$types';
+// POST /api/terminals/[id]/paste-image — Write clipboard image for a terminal
+export const POST: RequestHandler = async ({ params, request }) => {
+	const authError = validateAuth(request);
+	if (authError) {
+		return authError;
+	}
+	const terminalId = params.id;
+	// Validate terminalId to prevent path traversal
+	if (!/^[A-Za-z0-9_-]+$/.test(terminalId)) {
+		return json({ error: 'Invalid terminal ID' }, { status: 400 });
+	}
+	let body: { image: string };
+	try {
+		body = (await request.json()) as { image: string };
+	} catch {
+		return json({ error: 'Invalid JSON' }, { status: 400 });
+	}
+	if (!body.image || typeof body.image !== 'string') {
+		return json({ error: 'image (base64) is required' }, { status: 400 });
+	}
+	// Decode base64 image
+	let imageBuffer: Buffer;
+	try {
+		// Strip data URI prefix if present
+		const base64Data = body.image.replace(/^data:image\/\w+;base64,/, '');
+		// Validate base64 encoding via round-trip check
+		// Buffer.from silently ignores invalid chars, so verify re-encoding matches
+		const decoded = Buffer.from(base64Data, 'base64');
+		if (decoded.length === 0 || decoded.toString('base64') !== base64Data) {
+			return json({ error: 'Invalid base64 image data' }, { status: 400 });
+		}
+		imageBuffer = decoded;
+	} catch {
+		return json({ error: 'Invalid base64 image data' }, { status: 400 });
+	}
+	// Write to per-terminal clipboard directory
+	const clipboardDir = `/tmp/shooter-clipboard-${terminalId}`;
+	const imagePath = `${clipboardDir}/image.png`;
+	try {
+		mkdirSync(clipboardDir, { recursive: true });
+		writeFileSync(imagePath, imageBuffer);
+	} catch (err) {
+		return json({ details: (err as Error).message, error: 'Failed to write image' }, { status: 500 });
+	}
+	return json({ path: imagePath, size: imageBuffer.length });
+};

package/src/routes/api/terminals/[id]/resize/+server.ts ADDED Viewed

@@ -0,0 +1,60 @@
+import { validateAuth } from '$lib/modules/server/auth';
+import { ptyManager } from '$lib/modules/server/terminal/pty-manager.js';
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+// POST /api/terminals/:id/resize — Resize terminal
+export const POST: RequestHandler = async ({ params, request }) => {
+  const authError = validateAuth(request);
+  if (authError) {return authError;}
+  let body: { cols?: number; rows?: number };
+  try {
+    body = (await request.json()) as { cols?: number; rows?: number };
+  } catch {
+    return json({ error: 'Invalid JSON in request body' }, { status: 400 });
+  }
+  try {
+    const { cols, rows } = body;
+    if (cols === undefined || rows === undefined) {
+      return json({ error: 'cols and rows are required' }, { status: 400 });
+    }
+    if (typeof cols !== 'number' || cols < 1) {
+      return json({ error: 'cols must be a positive number' }, { status: 400 });
+    }
+    if (typeof rows !== 'number' || rows < 1) {
+      return json({ error: 'rows must be a positive number' }, { status: 400 });
+    }
+    if (cols > 500 || rows > 200) {
+      return json({ error: 'cols must be <= 500 and rows must be <= 200' }, { status: 400 });
+    }
+    const terminal = ptyManager.get(params.id);
+    if (!terminal) {
+      return json({ error: 'Terminal not found' }, { status: 404 });
+    }
+    if (terminal.status === 'exited') {
+      return json({ error: 'Terminal already exited' }, { status: 409 });
+    }
+    ptyManager.resize(params.id, cols, rows);
+    console.log(`[terminals] Resized terminal ${params.id} to ${cols}x${rows}`);
+    return json({
+      success: true,
+      timestamp: new Date().toISOString(),
+    });
+  } catch (error) {
+    const err = error as Error;
+    return json({ details: err.message, error: 'Failed to resize terminal' }, { status: 500 });
+  }
+};

package/src/routes/api/webhook/+server.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { validateAuth } from '$lib/modules/server/auth';
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+type WebhookBody = Record<string, unknown>;
+export const POST: RequestHandler = async ({ request }) => {
+  try {
+    const authError = validateAuth(request);
+    if (authError) return authError;
+    const body = (await request.json()) as WebhookBody;
+    console.log('Webhook received:', {
+      body,
+      headers: Object.fromEntries(request.headers.entries()),
+      timestamp: new Date().toISOString(),
+    });
+    // In a full implementation, this would forward to Claude Code
+    // For now, just log and acknowledge
+    return json({
+      data: body,
+      message: 'Webhook received successfully',
+      success: true,
+      timestamp: new Date().toISOString(),
+    });
+  } catch (error) {
+    const err = error as Error;
+    console.error('Webhook error:', err);
+    return json(
+      {
+        details: err.message,
+        error: 'Failed to process webhook',
+        timestamp: new Date().toISOString(),
+      },
+      { status: 500 }
+    );
+  }
+};

package/src/routes/api/ws-status/+server.ts ADDED Viewed

@@ -0,0 +1,23 @@
+// GET /api/ws-status — Returns the number of connected WebSocket clients.
+//
+// Used by notifier.cjs to decide whether to send an APNs push notification
+// or skip it (because a WebSocket client is already listening for events).
+// If at least one client is connected to the /ws/events channel, the notifier
+// skips the push notification to avoid double-prompting.
+import { validateAuth } from '$lib/modules/server/auth';
+import { getConnectedClientCount } from '$lib/modules/server/ws/server';
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+// ── Endpoint ────────────────────────────────────────────────────────
+export const GET: RequestHandler = ({ request }) => {
+	const authError = validateAuth(request);
+	if (authError) {return authError;}
+	return json({
+		connectedClients: getConnectedClientCount(),
+	});
+};

package/src/routes/api/ws-ticket/+server.ts ADDED Viewed

@@ -0,0 +1,86 @@
+// POST /api/ws-ticket — Generate a short-lived WebSocket authentication ticket.
+//
+// The client presents its Bearer API_KEY here, and receives a single-use ticket
+// (32-byte hex string, valid for 30 seconds). The ticket is then passed as a
+// query parameter on the WebSocket upgrade URL, keeping the long-lived API_KEY
+// out of URL strings (which appear in proxy logs and browser history).
+//
+// Rate limited to 10 requests per minute per API key.
+import { env } from '$env/dynamic/private';
+import { validateAuth } from '$lib/modules/server/auth';
+import { generateTicket } from '$lib/modules/server/ws/ticket-store';
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+// ── Rate limiting ───────────────────────────────────────────────────
+const RATE_LIMIT_WINDOW_MS = 60_000; // 60 seconds
+const RATE_LIMIT_MAX = 10; // max 10 requests per window
+/** Maps API key -> array of request timestamps (epoch ms). */
+const rateLimitMap = new Map<string, number[]>();
+/**
+ * Check and record a request for the given API key.
+ * Returns true if the request is within the rate limit, false if exceeded.
+ */
+function checkRateLimit(apiKey: string): boolean {
+	const now = Date.now();
+	const cutoff = now - RATE_LIMIT_WINDOW_MS;
+	let timestamps = rateLimitMap.get(apiKey);
+	if (!timestamps) {
+		timestamps = [];
+		rateLimitMap.set(apiKey, timestamps);
+	}
+	// Prune timestamps outside the window
+	const recent = timestamps.filter((t) => t > cutoff);
+	rateLimitMap.set(apiKey, recent);
+	if (recent.length >= RATE_LIMIT_MAX) {
+		return false;
+	}
+	recent.push(now);
+	return true;
+}
+// Cleanup stale rate limit entries every 5 minutes
+setInterval(() => {
+	const cutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
+	for (const [key, timestamps] of rateLimitMap) {
+		const recent = timestamps.filter((t) => t > cutoff);
+		if (recent.length === 0) {
+			rateLimitMap.delete(key);
+		} else {
+			rateLimitMap.set(key, recent);
+		}
+	}
+}, 300_000).unref();
+// ── Endpoint ────────────────────────────────────────────────────────
+export const POST: RequestHandler = async ({ request }) => {
+	const authError = validateAuth(request);
+	if (authError) {return authError;}
+	// Extract the API key for rate limiting
+	const apiKey = request.headers.get('authorization')!.substring(7);
+	if (!checkRateLimit(apiKey)) {
+		return json(
+			{ error: 'Rate limit exceeded. Maximum 10 ticket requests per minute.' },
+			{ status: 429 }
+		);
+	}
+	const ticket = generateTicket();
+	return json({
+		expiresIn: 30,
+		ticket,
+	});
+};